add some files

handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+  systemd:
+    name: nginx
+    state: reloaded

tasks/main.yml

@@ -8,6 +8,37 @@
   retries: 3
   until: apt_result is succeeded
 
+- name: Copy snippets
+  template:
+    src: "snippets/{{ item }}"
+    dest: "/etc/nginx/snippets/{{ item }}"
+  loop:
+    - connection_upgrade.conf # fix some nginx bug
+
+- name: Ensure the cert directory exists
+  file:
+    path: /etc/nginx/certs
+    state: directory
+
+- name: Create a dummy cert
+  block:
+    - name: Generate private key
+      openssl_privatekey:
+        path: /etc/nginx/certs/dummy.key
+        mode: u=rw,g=,o=
+        size: 4096
+    - name: Generate the signing request
+      openssl_csr:
+        path: /etc/nginx/certs/dummy.req
+        privatekey_path: /etc/nginx/certs/dummy.key
+        common_name: dummy
+    - name: Sign Cert
+      openssl_certificate:
+        path: /etc/nginx/certs/dummy.pem
+        privatekey_path: /etc/nginx/certs/dummy.key
+        csr_path: /etc/nginx/certs/dummy.req
+        provider: selfsigned
+
 - name: Add wasm to mime type
   lineinfile:
     path: /etc/nginx/mime.types
@@ -17,3 +48,14 @@
     group: root
     mode: '0644'
     insertbefore: '}'
+
+- name: Copy NGINX conf
+  template:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+
+- name: Create the SSL reverse proxy conf
+  template:
+    src: stream_rp.conf
+    dest: /etc/nginx/stream_rp.conf
+    force: no

templates/nginx.conf

@@ -0,0 +1,59 @@
+{{ ansible_managed | comment }}
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+    worker_connections 768;
+    #worker_processes auto; # <- default is 1
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    server_name_in_redirect off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+    ssl_prefer_server_ciphers on;
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    gzip off; # compression and crypto don't mix
+
+    # include /etc/nginx/conf.d/*.conf;  # Ansible
+    include /etc/nginx/sites-enabled/*;
+}
+
+stream {
+    include /etc/nginx/stream_rp.conf;
+
+    # Proxy request from the back end address
+    map $ssl_preread_server_name $name_from_back {
+        acme-v02.api.letsencrypt.org    acme;
+        r3.o.lencr.org                  r3;
+        default            self-back;
+    }
+    upstream acme {
+        server acme-v02.api.letsencrypt.org:443;
+    }
+    upstream r3 {
+        server r3.o.lencr.org:443;
+    }
+    upstream self-back {
+        server 127.0.0.1:9443;
+    }
+    server {
+        listen 192.168.10.1:443;
+        proxy_pass $name_from_back;
+        ssl_preread on;
+    }
+}

templates/snippets/connection_upgrade.conf

@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+

templates/stream_rp.conf

@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+map $ssl_preread_server_name $name_from_front {
+    default         self;
+}
+upstream self {
+    server 127.0.0.1:8443;
+}
+server {
+    listen 172.20.198.2:443;
+    proxy_pass $name_from_front;
+    ssl_preread on;
+ }